Easy Desk Newsletters


Tracking down a Trojan, Worm, and Adware

Recently a good customer emailed me an mp3 file titled "Piano and Balls". Since the email was from someone I know who often sends me attachments, and the email note confirmed that he had knowingly sent it, I opened it. Was that ever a mistake!

After clicking on the mp3 file to open it, within a few seconds my Zone Alarm started asking questions about allowing files access to the Internet. I told Zone Alarm it was OK for the first several files, but when it asked again I got a little suspicious. So I looked at which file name wanted access. It was a file name I had never seen before, Setup_Incred_4.exe. I immediately "locked all access" to the Internet and used Control-Alt-Delete to close all running applications.

I then clicked the WinSafe Exit Icon. It reported that "Updater" had been added to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key, and that HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ had a new key added, {5D60FF48-95BE-4956-B4C6-6BB168A70310}. Files had also been added to C:\ and the Windows folder, along with the System folder. It reported that files would change names and be moved when I rebooted.

Well, now I was in for some work. I ran a "System File Report" with WinSafe and it showed me all the file names that had been added, so I located and deleted them. These files included Twaintec.dll, voffup.exe, Setup_Incred_4.exe, Im64.dll, In10b6s.dll, 96wu19rd.exe, Atpartners.dll, and Bdla4012.dll, and the Run key pointed to the file C:\Program Files\Common files\updater\wupdater.exe. I did a search for all files created on the same date as Twaintec.dll. All downloaded files have a creation date equal to the date they were downloaded, unless they were inside a Zip, CAB, or self-extracting file; you can view the contents of those file types.

I deleted all the Registry entries that had been added. I opened Regedit and started tracking all the pointers. The Browser Helper key that was added belonged to Twaintec.dll. These Browser Helper keys all point to CLSID keys. I viewed the CLSID\{5D60FF48-95BE-4956-B4C6-6BB168A70310} key, taking note of the ProgID value and the TypeLib value.

But I was sure this was not all of it. So I decided to add some tools to Registry Drill: one that will search, replace, delete, find pointers, report, and go to the key. The alpha version was ready the next day, enough for me to use. Using just the file names and the names of the keys that I had found were added, I found about 20 more keys that needed to be deleted. So the new tools in Registry Drill proved to be more than worth the time spent making them. By the way, this new tool is now available in version 2.0 of Registry Drill.

This was more than a Trojan; it was also a worm, "AdClicker". The value set in the Browser Helper key was "NavErrRedir Class", just something to send me on a wild goose chase. But searching out everything, I found the CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA} key pointing to the ProgID key "F1 Organizer Class", which led the search on farther.
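As an added example that is not part of this newsletter, the following PowerShell script automates the two registry checks described above: it lists the Run-key entries and each Browser Helper Object, resolves the BHO's CLSID to its ProgID, TypeLib and InprocServer32 DLL, and reports the DLL's creation date and Authenticode status so a freshly dropped, unsigned file stands out. It also checks the HKCU Run key and the 32-bit (Wow6432Node) BHO key, which the article does not mention.

```powershell
# Added audit script (not from the newsletter). Read-only: it reports, it does not delete.
function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # HKCU added beyond the article
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # skip PowerShell's own provider metadata
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-BhoEntries {
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    # Reads a key's (default) value, or $null if the key is missing.
    $read = { param($k) (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)' }
    foreach ($bho in $bhoKeys) {
        if (-not (Test-Path $bho)) { continue }
        foreach ($sub in Get-ChildItem -Path $bho) {
            $clsid = $sub.PSChildName                      # the {GUID} the BHO key is named after
            $base  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $dll   = & $read "$base\InprocServer32"       # the DLL that actually gets loaded
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            $file  = if ($dll -and (Test-Path -LiteralPath $dll)) { Get-Item -LiteralPath $dll } else { $null }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = & $read $base                  # e.g. the "NavErrRedir Class" style label
                ProgID    = & $read "$base\ProgID"
                TypeLib   = & $read "$base\TypeLib"
                Dll       = $dll
                Created   = if ($file) { $file.CreationTime } else { $null }
                Signature = if ($file) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'missing' }
            }
        }
    }
}

Get-RunKeyEntries | Format-Table -AutoSize
Get-BhoEntries    | Format-Table -AutoSize
```

Sort the BHO output by Created to surface entries whose DLL appeared on the same day as a suspect download, which is the date check the article does by hand in Explorer.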

Anyway, this was a good lesson for me. Why wasn't Repellent on? I guess I was lazy. McAfee caught AdClicker-O soon after I locked the Internet, but it only quarantined the file. It did nothing about the Registry entries.

I thought to myself, how did the mp3 file contain a payload? Mp3 files are videos, not executables. So I decided to open my Windows Media Player to see its recent file list. Zone Alarm instantly popped up and asked permission for Windows\Temp\Glcf112.tmp and Glmf120.tmp to access the Internet. Now I knew something else was going on. I checked the Zone Alarm log and noticed there were many entries with similar tmp files asking to access the Internet. This led me to believe that the tmp files were really DLL files in disguise, very interesting. So some program was calling these DLL (tmp) files to do its nasty work.

I then started the WinSafe Exit Icon only to find out that AtPartners.dll and 96wu19rd.exe had been added to my System folder again. When I sorted the files in Windows Explorer by newest date so I could delete AtPartners.dll and 96wu19rd.exe, I saw that Im64.dll and In10b6s.dll were back as well; in fact, they were all back. I decided to look at the Windows Media Player file, Wmplayer.exe, and its date was the date I got that email with the mp3 file. It also had a setup icon, and the file size was 3 times that of the original file. Now I had found the villain!

I deleted all the files and ran the setup_wm.exe file, which downloads a current version of the Windows Media Player. Then I locked the Internet with Zone Alarm and got Registry Drill out to help find all the keys in the Registry that needed to be deleted.

So what am I telling you? That sometimes the programs you least expect can carry spyware, adware, or a Trojan. Who would have suspected the Windows Media Player of being a Trojan? It wasn't originally; the 2.6 MB mp3 file was, and it replaced Wmplayer.exe (Windows Media Player) with the Trojan file. The Trojan file would play videos, but it was also doing its own thing: distributing the adware, auto downloader, spyware, and more.

If it were not for WinSafe, it would have taken me some time to find the added files, and if it were not for Registry Drill's new tools I would have spent days trying to find all the other added files buried in the Program Files/Common Files sub folders and all the keys in the Registry. This was a slick Trojan.

AtPartners.dll - Trojan, auto downloader of 3rd party software to your machine
96wu19rd.exe - Trojan called TrojanDropper.Win32.Small.gt
Setup_Incred_4.exe - Worm, AdClicker
Twaintec.dll - Trojan spyware called Trojan.Spy.BiSpy.C
The remaining DLLs were adware files.
